An extractor is a function E that is used to extract randomness. Given an imperfect random 
source X and a uniform seed Y, the output E(X, Y) is close to uniform. We study properties 
of such functions in the presence of prior quantum information about X, with a particular focus 
on cryptographic applications. We prove that certain extractors are suitable for key expansion in 
the bounded storage model where the adversary has a limited amount of quantum memory. For 
extractors with one-bit output we show that the extracted bit is essentially equally secure as in the 
case where the adversary has classical resources. We prove the security of certain constructions that 
output multiple bits in the bounded storage model. 

I. INTRODUCTION 

The aim of randomness extraction is to generate "almost uniform" randomness given an imperfect
source of randomness $X$. The term "extractor" is generally used to describe a procedure which
accomplishes this task; more formally, an extractor is a (deterministic) function
$\mathsf{E} : \mathcal{X} \times \mathcal{Y} \to \mathcal{Z}$ which, when applied to an imperfect
source $X$ and a uniform and independent seed $Y$, yields an output $Z := \mathsf{E}(X, Y)$ which
is close to being uniformly distributed on $\mathcal{Z}$. Such an extractor is characterized by a
number of parameters. Among these are the amount of randomness $Y$ that is required, the amount
of randomness $Z$ produced, and, most importantly, the character of the sources $X$ which lead to
almost uniform output. A very general class of sources are the weak sources $X$, characterized by
a lower bound on the min-entropy $H_\infty(X) := -\log \max_x P_X(x)$. Correspondingly, a
$(k,\varepsilon)$-extractor [1] commonly refers to an extractor which, for any input distribution
$P_X$ with $H_\infty(X) \geq k$, outputs $\varepsilon$-uniform randomness $Z$.

Besides purifying randomness, extractors are an essential tool in computer science, in particular
in complexity theory and cryptography. Correspondingly, the study of such extractors has been a
major research topic in recent years, and much understanding has been gained (see [2] for a
review). For applications in computer science, the challenge is to find explicit, efficiently
computable extractors with good parameters.

In a cryptographic context, a certain variant of the concept of a $(k,\varepsilon)$-extractor is
of particular importance. These are called strong extractors; they have the additional property
that even the pair $(Y, \mathsf{E}(X, Y))$ is $\varepsilon$-close to uniform. This means for
example that $(Y, \mathsf{E}(X, Y))$ can be used to encrypt a message $M = (M_1, M_2)$ using a
one-time pad [3] as $C = (C_1, C_2) = (M_1 \oplus Y, M_2 \oplus \mathsf{E}(X, Y))$. An adversary
who learns the ciphertext $C$ as well as the message $M_1$ (and thus the seed $Y$) will be
completely ignorant of the content of the remaining message $M_2$. Expressed differently, the
pair $(Y, \mathsf{E}(X, Y))$ is a key with universally composable security [5].

A more striking application of strong extractors in 
cryptography is privacy amplification, introduced by 
Bennett, Brassard and Robert [6] and further analyzed 
in [3]. This refers to a technique that allows two parties, 
Alice and Bob, to generate a secret key Z from a shared 
random variable X about which the adversary has partial 
information E. The only assumption is that the parties 
are connected by an authentic but otherwise completely 
insecure channel. The key Z is then obtained as follows: 
Alice generates an independent uniform seed Y and sends 
it over the channel. Subsequently, both parties apply a 
strong extractor to get Z := E(X, Y). The security of Z 
when used as a secret key directly follows from the prop- 
erties of the strong extractor, assuming a certain bound 
on the information E of the adversary. 

Apparently related to privacy amplification, but conceptually quite different, is Maurer's
bounded storage model [8]. The first security proof for general adversaries in this model was
obtained by Aumann, Ding and Rabin [9] and essentially optimal constructions were subsequently
found in a sequence of papers [l(| [HI G3. Its aim is not key extraction, but key expansion. In
this setting a large amount of randomness $X$ is publicly, but only temporarily available. Alice
and Bob use a previously shared (short) secret key $Y$ to obtain additional key bits
$Z = \mathsf{E}(X, Y)$ using a strong extractor. The seed $Y$ remains hidden to the adversary
until (possibly) after the execution of the protocol. The adversary is assumed to have only a
bounded amount of storage (which may be much larger than the honest parties' memory). As a
result, his information $E$ about $X$ is limited, once $X$ becomes inaccessible, and by the
properties of the extractor, $Z$ can be shown to be secure even if he later obtains the seed $Y$
(this was referred to as "everlasting security" in!).

From a cryptographic viewpoint, a natural generalization of these scenarios is arrived at by
allowing the adversary to have quantum information $Q$ instead of only classical information $E$
about $X$. This modification is not merely of theoretical interest. Indeed, the only construction
proved to be secure llq for privacy amplification has found various applications in quantum
cryptography. Besides simplifying and improving security proofs for quantum key distribution
[l7j|, the quantum version of privacy amplification has been used to derive both possibility
[l8l | and impossibility results for tasks such as bit commitment or oblivious transfer.

While the problem of constructing strong extractors is well-studied, little is known about the
security resulting from their use in a quantum context. For the bounded storage model, Gavinsky,
Kempe and de Wolf [20] recently gave an example of an extractor which yields a classically secure
key, but is completely insecure against an adversary with a similar amount of quantum storage.
There is no construction for the bounded storage model that is known to be secure against a
quantum adversary.

In this paper, we study properties of strong extractors in a context where the adversary has
quantum information, with the two cryptographic settings described in mind. We give the first
constructions of extractors that are usable in the bounded storage model against a quantum
adversary, and we show that certain strong extractors generate secure key bits in the setting of
privacy amplification. This allows one to reduce the amount of communication needed in certain
applications. Our constructions achieve the most desirable type of security, that is, the
extracted keys are universally composable (la. l2lH22| .



Outline 

In Section II we introduce the relevant definitions. In Section III we show that any strong
extractor which outputs a single bit yields essentially the same degree of security in a
cryptographic setting, irrespective of whether the adversary has quantum or classical
information. We then use a hybrid argument in Section IV to obtain extractors that output
several bits. In Section V we explain how these extractors can be used in the bounded storage
model. Finally, we show that general strong extractors can be used in the setting of privacy
amplification in Section VI. We conclude in Section VII.



A. Notation 

Throughout this paper, all logarithms are binary, i.e., to base 2. For a random variable $X$ with
range $\mathcal{X}$, we define the min-entropy of $X$ as $H_\infty(X) := -\log \max_x P_X(x)$.
More generally, for a quantum state $\rho_Q$ on a Hilbert space $\mathcal{Q}$, $H_\infty(Q)$ is
the min-entropy of the distribution of eigenvalues of $\rho_Q$. Analogously, the max-entropy is
defined as $H_0(X) := \log |\mathrm{supp}(P_X)|$ = log
and $H_0(Q) := \log \mathrm{rank}(\rho_Q)$, respectively. Expressed differently, $H_0(Q)$ is the
number of qubits constituting system $Q$. For a function $g : \mathcal{X} \to M$, we denote by

the expectation of $g(X)$ over a random choice of $x \leftarrow P_X$. We also use the notation
$P_X \cdot P_Y$ to refer to the joint distribution of two independent random variables $X$ and
$Y$, that is, $\Pr[X = x, Y = y] = P_X(x) \cdot P_Y(y)$ for all
$(x, y) \in \mathcal{X} \times \mathcal{Y}$.

In the sequel, $Q$ refers to a quantum system, whereas $E$, $V$, $W$, $X$, $Y$ and $Z$ are
assumed to be classical. Slightly abusing notation, we sometimes refer to the Hilbert space
corresponding to a classical-quantum state (cq-state) $\rho_{XQ}$ by
$\mathcal{X} \otimes \mathcal{Q}$. We denote the completely mixed state on $\mathcal{X}$ by
$\rho_{U_\mathcal{X}}$.

We will sometimes use classical-quantum states with multipartite classical parts, e.g., a
ccq-state $\rho_{XYQ}$. For such a state $\rho_{XYQ}$, we say that
$Y \leftrightarrow X \leftrightarrow Q$ forms a Markov chain if it has the form

$$\rho_{XYQ} = \sum_{x,y} P_{XY}(x,y)\, |xy\rangle\langle xy| \otimes \rho_x \tag{1}$$

for some states $\{\rho_x\}_{x \in \mathcal{X}}$ on $\mathcal{Q}$. A state with this property
defines a distribution $P_{XY}$, which defines the conditional distributions $P_{X|Y=y}$ and, for
any function $f : \mathcal{X} \times \mathcal{Y} \to \mathcal{Z}$, the distribution
$P_{f(X,Y)XY}$. The corresponding conditional states $\rho_{XQ|Y=y}$ are obtained by making the
appropriate replacement in Eq. (1), i.e.,

$$\rho_{XQ|Y=y} = \sum_{x} P_{X|Y=y}(x)\, |x\rangle\langle x| \otimes \rho_x .$$

Similarly, we can define the cccq-state

$$\rho_{f(X,Y)XYQ} = \sum_{x,y} P_{XY}(x,y)\, |f(x,y)xy\rangle\langle f(x,y)xy| \otimes \rho_x ,$$

which in turn gives rise to states such as $\rho_{f(X,Y)XQ|Y=y}$.

We will use the trace norm $\|A\| := \frac{1}{2}\mathrm{tr}\big(\sqrt{A^\dagger A}\big)$ for any
operator $A$. Note that if $\rho_{XQ}$ and $\sigma_{X'Q'}$ are cq-states on
$\mathcal{X} \otimes \mathcal{Q}$, then

$$\|\rho_{XQ} - \sigma_{X'Q'}\| = \sum_{x \in \mathcal{X}} \|P_X(x)\rho_x - P_{X'}(x)\sigma_x\| . \tag{2}$$

For two probability distributions $P$ and $Q$ on $\mathcal{X}$, the trace norm of their
difference (when identifying the distribution with a state), i.e.
$\|P - Q\| := \frac{1}{2}\sum_{x \in \mathcal{X}} |P(x) - Q(x)|$, is also known as the
variational distance.

Let $\rho_{XQ} = \sum_{x \in \mathcal{X}} P_X(x)\, |x\rangle\langle x| \otimes \rho_x$ be a
cq-state. Consider a fixed POVM $\mathcal{E} := \{E_z\}_{z \in \mathcal{Z}}$ on $\mathcal{Q}$. We
denote by $P_{XZ} = P_{X\mathcal{E}(Q)}$ the joint distribution of $X$ and the measurement
outcome, i.e.,

$$P_{Z|X=x}(z) = \mathrm{tr}(E_z \rho_x)$$

for every $z \in \mathcal{Z}$ and $x \in \mathcal{X}$.

We will often encounter scalar quantities $d$ that are functions of a given distribution or a
quantum state, i.e., $d = d(P_X)$ or $d = d(\rho_Q)$. In these cases, we use the shorthand $d(X)$
or $d(Q)$. Similarly, we write $d(Q|W = w)$ instead of $d(\rho_{Q|W=w})$. More generally, we will
consider quantities that depend on a specific bipartition of a state $\rho_{ZE}$ into $Z$ and
$E$; in these cases, we write $d(Z \leftarrow E)$. Again, we use the notation
$d(Z \leftarrow E|W = w)$ to denote the corresponding quantity for the conditional state
$\rho_{ZE|W=w}$.

II. EXTRACTORS AND SECRET KEYS 

A. Classical adversaries 

Before reviewing the definition of strong extractors and various of their basic properties, let
us introduce a shorthand notation for the non-uniformity, a quantity which measures the extent to
which a probability distribution of a random variable $Z$ deviates from the uniform distribution,
possibly given another random variable $E$:

Definition 1. Let $P_{ZE}$ be an arbitrary distribution. The non-uniformity $d(Z \leftarrow E)$
of $Z$ given $E$ is defined as

$$d(Z \leftarrow E) := \|P_{ZE} - P_{U_\mathcal{Z}} \cdot P_E\| .$$

Here $P_E$ is the marginal distribution of $P_{ZE}$, and $P_{U_\mathcal{Z}}$ denotes the uniform
distribution on $\mathcal{Z}$.

Note that $d(Z)$ is simply the distance of the distribution $P_Z$ from the uniform distribution.
A strong extractor can then be defined as follows.

Definition 2. A strong $(k,\varepsilon)$-extractor is a function
$\mathsf{E} : \mathcal{X} \times \mathcal{Y} \to \mathcal{Z}$ with the property that

$$d(\mathsf{E}(X,Y) \leftarrow Y) = \|P_{\mathsf{E}(X,Y)Y} - P_{U_\mathcal{Z}} \cdot P_{U_\mathcal{Y}}\| \leq \varepsilon \tag{3}$$

for all distributions $P_X$ with $H_\infty(X) \geq k$. Here $Y$ is independent of $X$ and
uniformly distributed on $\mathcal{Y}$.

The definition implies that $\mathsf{E}(X, y)$ is close to being uniformly distributed on
$\mathcal{Z}$ on average over the random choice of $y \leftarrow P_Y$ (cf. Eq. (A3)). In other
words, if $X$ is chosen according to $P_X$ and $Y$ is uniformly distributed and independent of
$X$, then $\mathsf{E}(X,Y)$ is indistinguishable from uniform, even given $Y$.

In a cryptographic setting, the security of the extracted key $Z := \mathsf{E}(X,Y)$ with respect
to an adversary who is given $Y$ is exactly characterized by Eq. (3). Indeed, expression (3)
quantifies how distinguishable the real system (consisting of $(Z,Y)$) is from the ideal system,
in which $Z$ is uniformly distributed and independent of $Y$. This is easily generalized to a
setting where the adversary is given additional information about $X$. The additional
information can be in the form of a classical random variable (i.e., bits) that is jointly
distributed with $X$ or a quantum state (i.e., qubits).



In case the adversary has classical information about $X$ expressed by a random variable $E$, one
can show that this simply reduces the min-entropy of $X$. If $E$ gives little information about
$X$ it follows that even given $E$ and $Y$, the extracted bits look random. This intuition is
made explicit in the following proposition (all proofs in this section can be found in
Appendix B):

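Proposition 1. Let $\mathsf{E} : \mathcal{X} \times \mathcal{Y} \to \mathcal{Z}$ be a strong
$(k,\varepsilon)$-extractor. Let $P_{XE}$ be a distribution with

$$H_g(X \leftarrow E) \geq k + \log 1/\varepsilon . \tag{4}$$

Here the guessing-entropy $H_g(X \leftarrow E)$ of $X$ given $E$ is defined as

$$H_g(X \leftarrow E) := -\log \max_{\hat{X}} \Pr[\hat{X} = X] ,$$

where the maximum is taken over all random variables $\hat{X}$ such that
$X \leftrightarrow E \leftrightarrow \hat{X}$ forms a Markov chain. Then

$$d(\mathsf{E}(X,Y) \leftarrow YE) \leq 2\varepsilon ,$$

where $P_{YXE} := P_{U_\mathcal{Y}} \cdot P_{XE}$.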

Note that if $E$ is trivial or independent of $X$ the guessing entropy $H_g(X \leftarrow E)$ of
$X$ given $E$ is equal to the min-entropy $H_\infty(X)$ of $X$. Proposition 1 can be applied in
the bounded storage model because the limitation on the adversary's storage implies that his
information about $X$ is bounded. More precisely, the guessing probability has the following
intuitive property. Any (additional) piece of information $W$ does not increase the success
probability in guessing by a significant amount if the size of $W$ is small. More trivially,
independent information $V$ does not affect the guessing probability. We express this formally
in Lemma 1; versions of this statement are implicit in [lj, and more explicitly given in [23].

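Lemma 1. Consider a distribution $P_{XVWE}$ with $P_{XV} = P_X \cdot P_V$ and
$VW \leftrightarrow X \leftrightarrow E$. Then

$$H_g(X \leftarrow VWE) \geq H_g(X \leftarrow E) - H_0(W) .$$

In particular, for every $\varepsilon > 0$,

$$H_g(X \leftarrow E|V = v, W = w) \geq H_g(X \leftarrow E) - H_0(W) - \log 1/\varepsilon$$

with probability at least $1 - \varepsilon$ over $(v,w) \leftarrow P_{VW}$.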

B. Quantum adversaries 

Let us now discuss the challenge posed by quantum adversaries. Our aim is to show that, similarly
as in the classical case, the extracted bits $\mathsf{E}(X, Y)$ are secure even if the adversary
is given $Y$. Such an adversary prepares a quantum state $\rho_x$ on $\mathcal{Q}$ that depends
on $X = x$. To obtain maximal information about $\mathsf{E}(X, Y)$, he performs a measurement on
his quantum system $Q$ which depends on $Y$. As a result, his (classical) information $E$ is no
longer independent of $Y$. This means that we cannot view this as merely a reduction of the
entropy of the source $X$. Thus we cannot directly prove a statement like Lemma 1 when $E$ is
replaced by a quantum system $Q$. In particular, due to the effect of locking [24], we know that
there exist short classical keys ($Y$) that can unlock a lot of classical information (about
$X$) stored in a quantum system $Q$. In the first part of this paper we will show that if the
extractor $\mathsf{E}$ extracts a single bit, we can preclude such locking effect
(Theorem III.1).

Before embarking on this analysis, we point out the 
following straightforward result. If the adversary's mea- 
surement does not depend on Y we can essentially ap- 
ply the classical security proofs. That is, the adver- 
sary's measurement produces some classical information 
E which can be viewed as reducing the entropy of the 
source X. If the size of the quantum system is suffi- 
ciently small, then the random variable E does not give 
much information about X and therefore the extracted 
bits look random even to such an adversary. These state- 
ments are expressed in the following two lemmas. 

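Note that we can generalize the guessing-entropy of $X$ given $Q$ to the case where $Q$ is a
quantum system. Let
$\rho_{XQ} := \sum_{x \in \mathcal{X}} P_X(x)\, |x\rangle\langle x| \otimes \rho_x$ be a
cq-state. Then

$$H_g(X \leftarrow Q) := -\log \max_{\mathcal{E}} \sum_x P_X(x)\, \mathrm{tr}(E_x \rho_x) , \tag{5}$$

where the maximum is taken over all POVMs $\mathcal{E} := \{E_x\}_{x \in \mathcal{X}}$ on
$\mathcal{Q}$.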

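We now state the non-adaptive quantum version of Proposition 1. It is a direct consequence of the
reasoning above.

Proposition 1. Let $\mathsf{E} : \mathcal{X} \times \mathcal{Y} \to \mathcal{Z}$ be a strong
$(k,\varepsilon)$-extractor, and let $\mathcal{F}$ be a POVM on $\mathcal{Q}$. Then for all
cq-states $\rho_{XQ}$ with

$$H_g(X \leftarrow Q) \geq k + \log 1/\varepsilon ,$$

we have

$$d(\mathsf{E}(X,Y) \leftarrow Y\mathcal{F}(Q)) \leq 2\varepsilon .$$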

The following is the quantum analogue of Lemma 1 (its proof can again be found in Appendix B).
It states that a short additional piece of classical information $W$ does not help much in
guessing $X$ if the quantum system $Q$ depends only on $X$. Again, additional independent
information $V$ does not help either.

Lemma 1. Consider a cccq-state $\rho_{XVWQ}$ with $\rho_{XV} = \rho_X \otimes \rho_V$ and
$VW \leftrightarrow X \leftrightarrow Q$. Then

$$H_g(X \leftarrow VWQ) \geq H_g(X \leftarrow Q) - H_0(W)$$

and with probability at least $1 - \varepsilon$ over $(v, w) \leftarrow P_{VW}$, we have

$$H_g(X \leftarrow Q|V = v, W = w) \geq H_g(X \leftarrow Q) - H_0(W) - \log 1/\varepsilon .$$

We now state more precisely what we are aiming to 
prove about strong extractors. Note that Lemma [1] only 
gives a weak security guarantee for the extracted bits 
E(X,Y) - they are only shown to be secure against an 
adversary who measures his quantum state before receiv- 
ing Y. To discuss the stronger type of security we aim 
for, we first state the definition of the non-uniformity in 
the quantum case. 

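Definition 3. Let $\rho_{ZQ}$ be an arbitrary cq-state on $\mathcal{Z} \otimes \mathcal{Q}$.
The non-uniformity $d(Z \leftarrow Q)$ of $Z$ given $Q$ is defined as

$$d(Z \leftarrow Q) := \|\rho_{ZQ} - \rho_{U_\mathcal{Z}} \otimes \rho_Q\| ,$$

where $\rho_{U_\mathcal{Z}}$ denotes the completely mixed state on $\mathcal{Z}$.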

We describe a few basic properties of this definition in Appendix A. In a cryptographic setting,
the condition $d(Z \leftarrow Q) \leq \varepsilon$ for some small $\varepsilon$ means that the
key $Z$ is secure in a setting where $Q$ is controlled by the adversary; as explained in [ll|
(see also [llllilj]), such a key is, with probability at least $1 - \varepsilon$, equivalent to
a perfectly secure key.

In the sequel, we aim to show that d(E(X, Y) <- YQ) 
is small for certain strong extractors E and appropriate 
parameters. This means that the extracted bits are se- 
cure even if the adversary is given Y in addition to his 
quantum system. 

In the next section, we will show that for extractors with binary output, the quantity of
interest can in fact be bounded by considering an adversary whose strategy does not depend on
$Y$, i.e., he performs a measurement independent of $Y$ as in Lemma 1. We then use this result
in Section IV to construct strong extractors that output several bits.



III. EXTRACTORS WITH BINARY OUTPUT 

We will first sketch the arguments in this section. For an extractor
$\mathsf{e} : \mathcal{X} \times \mathcal{Y} \to \{0, 1\}$ with binary output the non-uniformity
of the extracted bit $Z = \mathsf{e}(X, Y)$ given $Y$ and the quantum system $Q$ can be directly
related to the success probability in distinguishing two quantum states $\rho_0^y$ and
$\rho_1^y$, for each $y \in \mathcal{Y}$. For a given $y$ these are the (generally mixed) states
of the adversary, conditioned on the extracted bit being 0 or 1, respectively. We modify an
argument by Barnum and Knill [25] to bound the optimal success probability in distinguishing
$\rho_0^y$ from $\rho_1^y$ for a given $y$ in terms of the success probability resulting from
the use of a pretty good measurement [26] $\mathcal{E}^y_{\mathrm{pgm}}$. On the other hand, we
will show that there exists a POVM $\mathcal{F}$ which refines all the pretty good measurements
$\{\mathcal{E}^y_{\mathrm{pgm}}\}_{y \in \mathcal{Y}}$ simultaneously; i.e., the outcome of the
measurement $\mathcal{E}^y_{\mathrm{pgm}}$ can be obtained by applying $\mathcal{F}$ and
classical post-processing. This POVM $\mathcal{F}$ is a pretty good measurement defined by the
states $\{\rho_x\}_{x \in \mathcal{X}}$, the conditional states of $Q$ given $X = x$, or, in the
bounded storage model, the states that the adversary prepares upon seeing $X$. Since the refined
measurement $\mathcal{F}$ does not depend on $y$, we know that it cannot be superior to any
classical strategy, see Proposition 1, and we obtain the main result of this section,
Theorem III.1.

In the next lemma we bound the non-uniformity $d(Z \leftarrow Q)$ of a cq-state
$\rho_{ZQ} := \sum_{z \in \{0,1\}} p_z\, |z\rangle\langle z| \otimes \rho_z$ with binary
classical part using a pretty good measurement.

Lemma 2. Let $\rho_{ZQ} := \sum_{z \in \{0,1\}} p_z\, |z\rangle\langle z| \otimes \rho_z$ be a
cq-state with binary classical part. Then

$$d(Z \leftarrow Q) \leq \sqrt{2\, d(Z \leftarrow \mathcal{E}_{\mathrm{pgm}}(Q))} + d(Z) , \tag{6}$$

where $\mathcal{E}_{\mathrm{pgm}}$ is the pretty good measurement defined by $\rho_{ZQ}$, i.e.
the POVM elements of this measurement are
$E_z := p_z\, \rho_Q^{-1/2} \rho_z\, \rho_Q^{-1/2}$ for $z \in \{0, 1\}$.

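Proof. By definition

$$d(Z \leftarrow Q) = \sum_{z=0}^{1} \big\|p_z \rho_z - \tfrac{1}{2}\rho_Q\big\| = \|p_0\rho_0 - p_1\rho_1\| . \tag{7}$$

Let $\Delta := p_0\rho_0 - p_1\rho_1$ and let $\Delta =: \Delta^+ - \Delta^-$ with
$\Delta^+ \geq 0$, $\Delta^- \geq 0$ be the decomposition of $\Delta$ into a nonnegative and a
negative part. Then

$$\|p_0\rho_0 - p_1\rho_1\| = \tfrac{1}{2}\big(\mathrm{tr}(\Delta^+) + \mathrm{tr}(\Delta^-)\big) = \mathrm{tr}(\Delta^+) - \tfrac{1}{2}\mathrm{tr}(\Delta) = \mathrm{tr}(P\Delta) - \tfrac{1}{2}(p_0 - p_1) ,$$

where $P$ is the projector onto the support of $\Delta^+$. We will do some work to show that

$$\mathrm{tr}(P\Delta) \leq \sqrt{2\, d(Z \leftarrow \mathcal{E}_{\mathrm{pgm}}(Q))} , \tag{8}$$

where $\mathcal{E}_{\mathrm{pgm}}$ is the pretty good measurement that distinguishes $\rho_0$
and $\rho_1$. By noting that

$$-\tfrac{1}{2}(p_0 - p_1) \leq \tfrac{1}{2}|p_0 - p_1| \leq \tfrac{1}{2}\big(|p_0 - \tfrac{1}{2}| + |p_1 - \tfrac{1}{2}|\big) = d(Z) ,$$

we obtain the desired result, Eq. (6). Consider thus the quantity $\mathrm{tr}(P\Delta)$. We can
bound

$$\mathrm{tr}(P\Delta) \leq \sqrt{\mathrm{tr}(A^\dagger A)\, \mathrm{tr}(B^\dagger B)} \tag{9}$$

by applying the operator Cauchy-Schwarz inequality to the operators

$$A := \rho_Q^{1/4} P \rho_Q^{1/4} , \qquad B := \rho_Q^{-1/4} \Delta\, \rho_Q^{-1/4} .$$

But

$$\mathrm{tr}(A^\dagger A) = \mathrm{tr}(\rho_Q^{1/2} P \rho_Q^{1/2} P) \leq \mathrm{tr}(\rho_Q^{1/2} P \rho_Q^{1/2}) \leq \mathrm{tr}(\rho_Q) = 1 \tag{10}$$

where we used the fact that $P \leq \mathbb{1}$ and the fact that
$\rho_Q^{1/2} P \rho_Q^{1/2}$ is nonnegative. On the other hand, by the definition of the pretty
good measurement $\mathcal{E}_{\mathrm{pgm}} = \{E_0, E_1\}$ we have

$$\mathrm{tr}(B^\dagger B) = \mathrm{tr}(\rho_Q^{-1/2} \Delta\, \rho_Q^{-1/2} \Delta) = \mathrm{tr}(E_0\Delta) - \mathrm{tr}(E_1\Delta) = P_{\mathrm{succ}}(\mathcal{E}_{\mathrm{pgm}}) - p_1 \mathrm{tr}(E_0\rho_1) - p_0 \mathrm{tr}(E_1\rho_0) = 2P_{\mathrm{succ}}(\mathcal{E}_{\mathrm{pgm}}) - 1 . \tag{11}$$

Here we have used the definition of the success probability
$P_{\mathrm{succ}}(\{E_0, E_1\}) := p_0 \mathrm{tr}(E_0\rho_0) + p_1 \mathrm{tr}(E_1\rho_1)$, and
the fact that $E_0 + E_1 = \mathbb{1}$ and $p_0 + p_1 = 1$ in the last step. Note that the
probability of success $P_{\mathrm{succ}}(\mathcal{E})$ for a fixed POVM $\mathcal{E}$ is the
same as the probability of successfully distinguishing an instance drawn from the distribution
$\mathcal{E}(\rho_0)$ and $\mathcal{E}(\rho_1)$, respectively, with a priori probabilities $p_0$
and $p_1$. Now we invoke Helstrom's theorem [27] which says that the success probability of
distinguishing two quantum states $\sigma_0$ and $\sigma_1$ with priors $p_0$ and $p_1$ using an
optimal POVM $\mathcal{E}_{\mathrm{opt}}$ is equal to
$P_{\mathrm{succ}}(\mathcal{E}_{\mathrm{opt}}) = \frac{1}{2} + \|p_0\sigma_0 - p_1\sigma_1\|$. We
apply this theorem for $\sigma_z = \mathcal{E}_{\mathrm{pgm}}(\rho_z)$ and write
$P_{\mathrm{succ}}(\mathcal{E}_{\mathrm{pgm}}) = \frac{1}{2} + d(Z \leftarrow \mathcal{E}_{\mathrm{pgm}}(Q))$
(cf. Eq. (7)). Combining this with Eqs. (9), (10) and (11) yields Eq. (8), as desired. □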

Now the goal is to bound the non-uniformity $d(\mathsf{e}(X, Y) \leftarrow YQ)$ for extractors
$\mathsf{e}$ with binary output when $Q$ is a quantum system which depends on $X$. For this we
consider the cccq-state $\rho_{ZXYQ} = \rho_{\mathsf{e}(X,Y)XYQ}$ which has the form

$$\rho_{ZXYQ} = \sum_{y,\, x,\, z = \mathsf{e}(x,y)} P_X(x) P_Y(y)\, |xyz\rangle\langle xyz| \otimes \rho_x , \tag{12}$$

where $P_Y(y) = \frac{1}{|\mathcal{Y}|}$ for every $y \in \mathcal{Y}$. For this state one can
express the non-uniformity $d(Z \leftarrow YQ)$ as (cf. Eq. (5))

i/<— /V — Z 

2£{0,1} ^ 

(13) 

Note that $P_{Z|X=x,Y=y}(z)$ is 1 or 0, depending on whether or not $\mathsf{e}(x,y) = z$. It is
straightforward to verify that

$$p_z^y \rho_z^y := P_{Z|Y=y}(z) \sum_{x \in \mathcal{X}} P_{X|Y=y,Z=z}(x)\, \rho_x = \sum_{x \in \mathcal{X}} P_{Z|X=x,Y=y}(z)\, P_X(x)\, \rho_x , \tag{14}$$

where we introduced for each $y \in \mathcal{Y}$ and $z \in \{0, 1\}$ the density matrix

$$\rho_z^y := \sum_{x \in \mathcal{X}} P_{X|Y=y,Z=z}(x)\, \rho_x , \tag{15}$$

with the normalising factor

$$p_z^y := P_{Z|Y=y}(z) = \Pr_x[\mathsf{e}(x, y) = z] . \tag{16}$$

The state $\rho_z^y$ is the state of $Q$ conditioned on $\mathsf{e}(X, y) = z$; for any given
$y \in \mathcal{Y}$, the two states $\rho_0^y$ and $\rho_1^y$ have a priori probabilities
$p_z^y$ with $z \in \{0, 1\}$. From this definition, it is clear that

which is independent of y. This observation will be es- 
sential in the proof of the following theorem. 

Applying Helstrom's theorem gives an intuitive interpretation of the quantity of interest (which
we state, but do not need later in the proof):
$\frac{1}{2} + d(\mathsf{e}(X,Y) \leftarrow YQ)$ is the maximal average success probability when
distinguishing $\rho_0^y$ and $\rho_1^y$ with a priori probabilities $p_0^y$ and $p_1^y$, over
random $y \leftarrow P_Y$. This follows by combining Eq. (17) with Eq. (13) and
Eqs. [p] ) , (p] ) .

We are ready to derive the main result of this section: 

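Theorem III.1. Let $\mathsf{e} : \mathcal{X} \times \mathcal{Y} \to \{0, 1\}$ be a strong
$(k,\varepsilon)$-extractor. Then for all $\rho_{XQ}$ with

$$H_g(X \leftarrow Q) \geq k + \log 1/\varepsilon ,$$

we have

$$d(\mathsf{e}(X,Y) \leftarrow YQ) \leq 3\sqrt{\varepsilon} ,$$

where $\rho_{YXQ} := \rho_{U_\mathcal{Y}} \otimes \rho_{XQ}$.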
Proof. By Eq. (2) (cf. Eq. (A3)) we can express

$$d(\mathsf{e}(X, Y) \leftarrow YQ) = \mathbb{E}_{y \leftarrow P_Y}\big[d(\mathsf{e}(X, y) \leftarrow Q)\big] . \tag{18}$$

We can apply the pretty good measurement bound of Lemma 2 for each $y \in \mathcal{Y}$ to the
state $\rho_{\mathsf{e}(X,y)Q} = \sum_{z \in \{0,1\}} p_z^y\, |z\rangle\langle z| \otimes \rho_z^y$,
where the density matrices $\rho_z^y$ and their associated probabilities $p_z^y$ are defined in
Eqs. (15) and (16). We get

$$d(\mathsf{e}(X, y) \leftarrow Q) \leq \sqrt{2\, d(\mathsf{e}(X,y) \leftarrow \mathcal{E}^y_{\mathrm{pgm}}(Q))} + d(\mathsf{e}(X, y))$$

for every $y \in \mathcal{Y}$. Taking the expectation over $y \leftarrow P_Y$ again and using
the convexity of the square root gives

$$d(\mathsf{e}(X, Y) \leftarrow YQ) \leq \sqrt{\mathbb{E}_{y \leftarrow P_Y}\big[2\, d(\mathsf{e}(X, y) \leftarrow \mathcal{E}^y_{\mathrm{pgm}}(Q))\big]} + d(\mathsf{e}(X,Y) \leftarrow Y) \tag{19}$$

by Eq. © (see also Eq. CM}). Since

$$H_\infty(X) \geq H_g(X \leftarrow Q) ,$$

the second term in Eq. (19) is upper bounded by $\varepsilon$. Let us now consider the details of
the pretty good measurement $\mathcal{E}^y_{\mathrm{pgm}}$. The measurement
$\mathcal{E}^y_{\mathrm{pgm}} = \{E_z^y\}_{z \in \{0,1\}}$ is determined by the POVM elements

$$E_z^y := p_z^y\, (G^y)^{-1/2} \rho_z^y\, (G^y)^{-1/2} \tag{20}$$

where, as argued above (Eq. (17)),

$$G^y = \sum_{z \in \mathcal{Z}} p_z^y \rho_z^y = \rho_Q \tag{21}$$

is independent of $y$. This fact allows us to define a new pretty good measurement $\mathcal{F}$
which does not depend on $y$, but is equally good or better in estimating $Z$ from $Q$ and $Y$.
This new pretty good measurement $\mathcal{F} = \{F_x\}_{x \in \mathcal{X}}$ has POVM elements

$$F_x := P_X(x)\, \rho_Q^{-1/2} \rho_x\, \rho_Q^{-1/2} .$$

Expressed differently, $\mathcal{F}$ is simply the pretty good measurement defined by the
ensemble $\{P_X(x), \rho_x\}$. From Eqs. (14), (20) and (21) above one can see that

$$E_z^y = \sum_x P_{Z|X=x,Y=y}(z)\, F_x . \tag{22}$$

In other words, the results of the measurements
$\{\mathcal{E}^y_{\mathrm{pgm}}\}_{y \in \mathcal{Y}}$ can in fact be obtained by first
estimating $x$ by measuring the quantum system $Q$ with
$\mathcal{F} = \{F_x\}_{x \in \mathcal{X}}$. Then we infer $z$ for a given $y$ by computing
$z = \mathsf{e}(x,y)$. On a more technical level, one needs to show that for every
$y \in \mathcal{Y}$ the non-uniformity given the measurement outcome of the measurement
$\mathcal{E}^y_{\mathrm{pgm}}$ is smaller than or equal to the non-uniformity given the outcome
of the refined measurement $\mathcal{F}$. We have summarized these technical details in Lemma 6
proved in Appendix C. Formally, we have

$$d(\mathsf{e}(X, y) \leftarrow \mathcal{E}^y_{\mathrm{pgm}}(Q)) \leq d(\mathsf{e}(X, y) \leftarrow \mathcal{F}(Q)) .$$

Taking the expectation over $y \leftarrow P_Y$ gives (cf. Eq. (A3))

$$\mathbb{E}_{y \leftarrow P_Y}\big[d(\mathsf{e}(X,y) \leftarrow \mathcal{E}^y_{\mathrm{pgm}}(Q))\big] \leq d(\mathsf{e}(X,Y) \leftarrow Y\mathcal{F}(Q)) .$$

Since $\mathcal{F}$ does not depend on $y$ we have reduced our problem to the simple scenario
where the quantum system is measured before the adversary obtains $y$. Thus we can apply
Proposition 1,

$$d(\mathsf{e}(X, Y) \leftarrow Y\mathcal{F}(Q)) \leq 2\varepsilon . \tag{23}$$

We conclude with Eq. (19) that

$$d(\mathsf{e}(X,Y) \leftarrow YQ) \leq 2\sqrt{\varepsilon} + \varepsilon ,$$

hence the claim follows. □

We now show that even if the adversary is given additional information $V$ which is independent
of $X$ and a short bit string $W$ which might depend on $X$, the extracted bit looks secure.
This statement will be used below to prove that certain extractors which output several bits can
also safely be used in a cryptographic context (cf. Theorem IV.1).

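Corollary III.2. Let $\mathsf{e} : \mathcal{X} \times \mathcal{Y} \to \{0, 1\}$ be a strong
$(k,\varepsilon)$-extractor. Let $\rho_{XVWQ}$ be a cccq-state with
$\rho_{XV} = \rho_X \otimes \rho_V$, $VW \leftrightarrow X \leftrightarrow Q$ and

$$H_g(X \leftarrow Q) \geq k + H_0(W) + 2\log 1/\varepsilon .$$

Then

$$d(\mathsf{e}(X, Y) \leftarrow YVWQ) \leq 4\sqrt{\varepsilon} ,$$

where $\rho_{YXVWQ} := \rho_{U_\mathcal{Y}} \otimes \rho_{XVWQ}$.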

Proof. Let $a := d(\mathsf{e}(X, Y) \leftarrow YVWQ)$ be the quantity of interest. Then by
Eq. © (see also Eq. f&2|l ),

$$a = \mathbb{E}_{(v,w) \leftarrow P_{VW}}\big[d(\mathsf{e}(X,Y) \leftarrow YQ|V = v, W = w)\big] ,$$

where the term in brackets is the non-uniformity of $\mathsf{e}(X, Y)$ with respect to the
conditional state $\rho_{XQ|V=v,W=w}$. By Lemma 1, we have

$$H_g(X \leftarrow Q|V = v, W = w) \geq k + \log 1/\varepsilon \tag{24}$$

with probability at least $1 - \varepsilon$ over random $(v, w) \leftarrow P_{VW}$. For any
$(v, w)$ for which Eq. (24) is satisfied, we have

$$d(\mathsf{e}(X, Y) \leftarrow YQ|V = v, W = w) \leq 3\sqrt{\varepsilon}$$

by Theorem III.1. Thus

$$a \leq 3\sqrt{\varepsilon} + \varepsilon ,$$

and the claim follows. □

IV. EXTRACTORS WITH NONBINARY 
OUTPUT 

In this section we will consider strong extractors which output several bits. We first show how
to use independent seeds $y_1, \dots, y_m$ to extract $m$ bits. The security of the extracted
bits in the quantum setting will follow from applying our bound for binary extractors,
Theorem III.1, in combination with a quantum version of the so-called hybrid argument. By a
similar technique, we will show how to extract more bits under stronger assumptions. Let us
first discuss the hybrid argument.

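Consider a cq-state of the form $\rho_{ZQ}$, where $Z = (Z_1, \dots, Z_m)$ is an $m$-bit string.
We aim to find a bound on $d(Z \leftarrow Q)$ in terms of non-uniformities of binary random
variables.

By definition, we have

$$d(Z \leftarrow Q) = \|\rho_{ZQ} - \rho_{U_{\{0,1\}^m}} \otimes \rho_Q\| .$$

Let us define for $i = 0, \dots, m$ the states

$$\rho^{(i)} := \rho_{U_{\{0,1\}^{m-i}}} \otimes \rho_{Z^iQ}$$

on $\{0, 1\}^m \otimes \mathcal{Q}$, where we use the abbreviation $z^i := (z_1, \dots, z_i)$ to
refer to the first $i$ bits of $z \in \{0, 1\}^m$. Clearly, we have $\rho^{(m)} = \rho_{ZQ}$ and
$\rho^{(0)} = \rho_{U_{\{0,1\}^m}} \otimes \rho_Q$. We use the "telescoping" sum

$$\rho^{(0)} - \rho^{(m)} = \sum_{i=0}^{m-1} \big(\rho^{(i)} - \rho^{(i+1)}\big) ,$$

which by the triangle inequality implies that

$$d(Z \leftarrow Q) \leq \sum_{i=0}^{m-1} \|\rho^{(i+1)} - \rho^{(i)}\| .$$

But

$$\|\rho^{(i+1)} - \rho^{(i)}\| = \|\rho_{U_{\{0,1\}^{m-i-1}}} \otimes \rho_{Z^{i+1}Q} - \rho_{U_{\{0,1\}^{m-i}}} \otimes \rho_{Z^iQ}\| = \|\rho_{Z^{i+1}Q} - \rho_{U_{\{0,1\}}} \otimes \rho_{Z^iQ}\| = \|\rho_{Z_{i+1}Z^iQ} - \rho_{U_{\{0,1\}}} \otimes \rho_{Z^iQ}\| .$$

We thus arrive at the following conclusion

$$d(Z \leftarrow Q) \leq \sum_{i=0}^{m-1} d(Z_{i+1} \leftarrow Z^iQ) . \tag{25}$$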
Let us now state and prove the main theorem. 

Theorem IV.1. Let $\mathsf{e} : \mathcal{X} \times \mathcal{Y} \to \{0, 1\}$ be a strong
$(k,\varepsilon)$-extractor, and let

$$\mathsf{E}^m : \mathcal{X} \times \mathcal{Y}^m \to \{0, 1\}^m , \qquad (x, y_1, \dots, y_m) \mapsto (\mathsf{e}(x,y_1), \dots, \mathsf{e}(x,y_m)) .$$

Then for all cq-states $\rho_{XQ}$ with

$$H_g(X \leftarrow Q) \geq k + m + 2\log 1/\varepsilon , \tag{26}$$

we have

$$d(\mathsf{E}^m(X, Y^m) \leftarrow Y^mQ) \leq 4m\sqrt{\varepsilon} ,$$

where $\rho_{Y^mXQ} := \rho_{U_{\mathcal{Y}^m}} \otimes \rho_{XQ}$.

Proof. We use Eq. (25) to get

$$d(\mathsf{E}^m(X, Y^m) \leftarrow Y^mQ) \leq \sum_{i=0}^{m-1} d(Z_{i+1} \leftarrow Z^iY^mQ) , \tag{27}$$

where $Z^m = \mathsf{E}^m(X, Y^m)$. Observe that $(Y_{i+2}, \dots, Y_m)$ is independent of
$Z^{i+1}Y^{i+1}Q$, which by Eq. (A4) gives

$$d(Z_{i+1} \leftarrow Z^iY^mQ) = d(Z_{i+1} \leftarrow Z^iY^{i+1}Q) . \tag{28}$$

But

$$d(Z_{i+1} \leftarrow Z^iY^{i+1}Q) = d(Z_{i+1} \leftarrow Y_{i+1}Z^iY^iQ) = d(\mathsf{e}(X, Y) \leftarrow Y\, \mathsf{E}^i(X, Y^i)\, Y^iQ)$$

where $Y = Y_{i+1}$. Applying Corollary III.2 to $(V, W) = (Y^i, \mathsf{E}^i(X, Y^i))$ yields

$$d(Z_{i+1} \leftarrow Z^iY^{i+1}Q) \leq 4\sqrt{\varepsilon} \tag{29}$$

for every $i = 0, \dots, m-1$. We have made use of the fact that
$H_0(W) = H_0(\mathsf{E}^i(X, Y^i)) \leq m$ by definition. The claim then follows from
Eqs. (27), (28) and (29). □

In the next section, we study the implications of Theorem IV.1 for the bounded storage model. We
will see that the bound on the storage of the adversary translates into an upper bound on the
guessing probability, as required (cf. Eq. (26)). We will then give a concrete example of an
extractor for the bounded storage model with quantum adversaries.

Before continuing, however, let us point out that in certain situations, we can use the hybrid
argument to show that the seed $Y$ can be reused several times. This gives more efficient
randomness extractors (under stronger assumptions about the initial cq-state $\rho_{XQ}$).
Following similar terminology in the literature on extractors, we introduce the following
notion.

Definition 4. A cq-state $\rho_{XQ}$ where $X = (X_1, \dots, X_m)$ consists of $m$ parts is a
$k$-blockwise state if for all $i$

I) Hi I 

$$H_g(X_{i+1} \leftarrow X^iQ) \geq k .$$

We will now show how to extract multiple bits from such a cq-state by reusing the seed. This is
interesting for several reasons. First, $k$-blockwise states arise naturally in realistic
situations such as the bounded storage model. We will discuss this in more detail below (cf.
Section V C). Second, extractors for $k$-blockwise probability distributions are often used to
construct (classical) extractors by transforming the input distribution to a $k$-blockwise
distribution. It might therefore be possible to obtain extractor constructions for the quantum
case using similar lines of reasoning.



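Theorem IV.2. Let $e : \mathcal{X} \times \mathcal{Y} \to \{0,1\}$ be a strong $(k, \varepsilon)$-extractor, and let

$$E^L : \mathcal{X}^L \times \mathcal{Y}^m \to \{0,1\}^{Lm}$$
$$(x_1, \ldots, x_L, y) \mapsto (E^m(x_1, y), \ldots, E^m(x_L, y)) ,$$

where $E^m : \mathcal{X} \times \mathcal{Y}^m \to \{0,1\}^m$ is defined as in Theorem IV.1. Then

$$d(E^L(X^L, Y) \leftarrow YQ) \le 4Lm\sqrt{\varepsilon} ,$$

for all $(k + m + 2\log 1/\varepsilon)$-blockwise states $\rho_{XQ}$ on $\mathcal{X}^L \otimes Q$, where $\rho_{YXQ} := \rho_{U_{\mathcal{Y}}} \otimes \rho_{XQ}$.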

Proof. With Eq. (25) we get

$$d(E^L(X^L, Y) \leftarrow YQ) \le \sum_{i=0}^{L-1} d(Z_{i+1} \leftarrow Z^i Y Q) , \tag{30}$$

where $Z^L = E^L(X^L, Y)$. Since $(Z^i, Y)$ is a function of $(X^i, Y)$ and since applying functions does not increase the trace distance, we obtain

$$d(E^L(X^L, Y) \leftarrow YQ) \le \sum_{i=0}^{L-1} d(Z_{i+1} \leftarrow X^i Y Q) . \tag{31}$$

But $d(Z_{i+1} \leftarrow X^i Y Q) = d(E^m(X_{i+1}, Y) \leftarrow Y X^i Q)$, and $\rho_{Y X_{i+1} X^i Q} = \rho_{U_{\mathcal{Y}}} \otimes \rho_{X_{i+1} X^i Q}$. Moreover,

$$H_g(X_{i+1} \leftarrow X^i Q) \ge k + m + 2\log 1/\varepsilon$$

by assumption. Thus we can apply Theorem IV.1 and the claim follows. □



V. THE BOUNDED STORAGE MODEL WITH A QUANTUM ADVERSARY

A. Bounded storage, guessing entropy and extractors

In the classical version of the bounded storage model, the security of the extracted bits is a direct consequence of the property of the extractor given in Proposition 1 and the fact that an adversary has limited information about $X$. The latter fact is expressed by the following well-known proposition, whose proof we omit, as it is trivial. It states that an adversary who has $H_0(E)$ bits of storage can not predict $X$ well.

Proposition 2. Let $P_{XE}$ be an arbitrary distribution. Then

$$H_g(X \leftarrow E) \ge H_\infty(X) - H_0(E) .$$

Together with Lemma 1 it follows that a strong $(k, \varepsilon)$-extractor has the property that $d(e(X, Y) \leftarrow YE) \le 2\varepsilon$ for all $P_{XE}$ with

$$H_\infty(X) \ge k + H_0(E) + \log 1/\varepsilon .$$

Thus the security of the extracted key can be directly derived from the strong extractor property and the bounded-storage assumption. The main challenge is to construct strong extractors which satisfy all the additional requirements for applicability in the bounded storage model (see Section V B).
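The hybrid bound of Eq. (27) and the storage bound of Proposition 2 can be checked exactly on a toy instance with a classical adversary. This is an added example, not code from the paper: the inner-product one-bit extractor, the flat 4-bit source and the two-bit leak are assumptions chosen so that every distribution can be enumerated.

```python
import itertools
import math
from collections import defaultdict

N, M = 4, 2                                  # constructed toy sizes: 4-bit X, m = 2 output bits
SOURCE = {x: 1 / 12 for x in range(12)}      # constructed flat source, H_inf(X) = log2(12)
SEEDS = list(itertools.product(range(2 ** N), repeat=M))   # all seed tuples (y_1, ..., y_m)

def e(x, y):
    """Stand-in one-bit extractor (assumption): inner product of x and y modulo 2."""
    return bin(x & y).count("1") & 1

def leak(x):
    """Classical adversary storage E (assumption): the two high bits of x."""
    return x >> 2

def guessing_entropy():
    """H_g(X <- E) = -log2 sum_e max_x P_XE(x, e) for E = leak(X)."""
    best = defaultdict(float)
    for x, p in SOURCE.items():
        best[leak(x)] = max(best[leak(x)], p)
    return -math.log2(sum(best.values()))

def nonuniformity(joint, z_count):
    """d(Z <- W) = 1/2 sum_{z,w} |P_ZW(z,w) - P_W(w)/|Z||; joint maps (z, w) -> prob."""
    p_w, present, dist = defaultdict(float), defaultdict(int), 0.0
    for (_, w), p in joint.items():
        p_w[w] += p
        present[w] += 1
    for (_, w), p in joint.items():
        dist += abs(p - p_w[w] / z_count)
    for w, pw in p_w.items():                # outcomes z that never occur together with w
        dist += (z_count - present[w]) * pw / z_count
    return dist / 2

def joint(target, side_info):
    """Distribution of (target, side information) for X ~ SOURCE and uniform seeds Y^m."""
    out = defaultdict(float)
    for x, px in SOURCE.items():
        for ys in SEEDS:
            z = tuple(e(x, y) for y in ys)   # Z^m = E^m(x, y_1, ..., y_m)
            out[(target(z), side_info(z, ys, leak(x)))] += px / len(SEEDS)
    return out

def hybrid_check():
    """Left side of Eq. (27) and the m terms d(Z_{i+1} <- Z^i Y^m E) on its right side."""
    whole = nonuniformity(joint(lambda z: z, lambda z, ys, s: (ys, s)), 2 ** M)
    terms = [nonuniformity(joint(lambda z, i=i: z[i],
                                 lambda z, ys, s, i=i: (z[:i], ys, s)), 2)
             for i in range(M)]
    return whole, terms

def proposition2_check():
    """Returns H_g(X <- E) and the lower bound H_inf(X) - H_0(E)."""
    h_inf = -math.log2(max(SOURCE.values()))
    h_0 = math.log2(len({leak(x) for x in SOURCE}))   # log2 of the number of stored values
    return guessing_entropy(), h_inf - h_0

if __name__ == "__main__":
    whole, terms = hybrid_check()
    print("d(Z^m <- Y^m E) =", whole, "<= sum of hybrid terms =", sum(terms), terms)
    print("H_g(X <- E), H_inf(X) - H_0(E) =", proposition2_check())
```

The leak is deliberately large relative to the min-entropy of the source, so the two output bits are far from uniform; the hybrid sum still upper-bounds the joint non-uniformity, and the guessing entropy meets the bound of Proposition 2 with equality.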

What about quantum storage? We show that a similar reasoning applies; given an extractor which is characterized by the guessing entropy $H_g(X \leftarrow Q)$, the storage bound can be translated into a security guarantee. We first show that $X$ can not be guessed by measuring $Q$ when the number of qubits constituting $Q$ is limited.

Proposition 2. Let $\rho_{XQ}$ be a cq-state. Then

$$H_g(X \leftarrow Q) \ge H_\infty(X) - H_0(Q) .$$

Proof. Consider a POVM $\mathcal{E} := \{E_x\}_{x \in \mathcal{X}}$ on $Q$ that maximizes the expression defining $H_g(X \leftarrow Q)$ (cf. Eq. (5)). Then

X 

X 

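$$\le 2^{-H_\infty(X)} \, \mathrm{tr}\Big(\sum_x |x\rangle\langle x| \otimes E_x\Big) .$$

The statement then follows from the fact that

$$\mathrm{tr}\Big(\sum_x |x\rangle\langle x| \otimes E_x\Big) = \mathrm{tr}\Big(\sum_x E_x\Big) = \mathrm{tr}(\mathbb{1}_Q) = 2^{H_0(Q)} .$$

□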

By combining Proposition 2 with Theorem IV.1 we obtain a way of constructing strong extractors for the bounded storage model in the presence of quantum adversaries: the statement of Theorem IV.1 holds when Eq. (26) is replaced by the weaker condition

$$H_\infty(X) \ge k + m + H_0(Q) + 2\log 1/\varepsilon . \tag{32}$$

Before applying this result to obtain a concrete construction, let us elaborate on a recent example which shows that not every strong extractor yields secure bits in the quantum bounded storage model.

Remark V.1. Gavinsky, Kempe and de Wolf [20] consider the function

$$e : \{0,1\}^n \times \Omega_n \to \{0,1\}$$
$$((x_1, \ldots, x_n), (y_1, y_2)) \mapsto x_{y_1} \oplus x_{y_2} ,$$

where $\oplus$ denotes bitwise addition modulo 2 and where $\Omega_n$ is the set of pairs $(y_1, y_2)$ of distinct indices $y_1, y_2 \in \{1, \ldots, n\}$. They then study the function $E^m$ restricted to the set $\{0,1\}^n \times \Omega^m$, where $\Omega^m$ is the subset of disjoint $m$-tuples. Let us call this restriction $E^m$ and let $Y^m$ be uniform on $\Omega^m$. In our terminology, they show the following. There is an $\alpha \sim 1/\sqrt{\log n}$ such that for large enough $n$ and $m := \alpha n$, the quantity $d(E^m(X, Y^m) \leftarrow Y^m E)$ is small for any classical random variable $E$ with $H_0(E) < \sqrt{n}$, whereas $d(E^m(X, Y^m) \leftarrow Y^m Q)$ is large if $Q$ is quantum and $H_0(Q)$ is polylogarithmic in $n$.

This statement does not contradict Theorem IV.1, which can not be applied in this situation. This is because the function $E^m$ does not have the required form. While Theorem III.1 tells us that the difference between classical and quantum prior information is limited in the case of extractors with binary output, this example shows that the case of general extractors which output several bits is more subtle.



B. Extractors for the bounded storage model: an explicit example

In this section, we give a concrete example of a function $E : \{0,1\}^n \times \{0,1\}^t \to \{0,1\}^m$ which can be used in the bounded storage model in the presence of a quantum adversary. Let us first discuss what additional requirements such a function has to satisfy.

Typical parameters of the bounded storage model are as follows: For some $1 > \alpha > \beta > 0$, $H_\infty(X) \ge \alpha n$ and $H_0(Q) \le \beta n$. Here, the parameter $\alpha$ is called the min-entropy rate, whereas $\beta$ is referred to as the storage rate. The amount of memory available to the honest parties, Alice and Bob, on the other hand, is supposed to be much more limited. Typically it is assumed that they have only $O(\log n)$ bits of storage. Expressed differently, the scheme should be secure even if the adversary is significantly more powerful than the participating honest parties.

The fact that Alice and Bob have only $O(\log n)$ bits of memory implies that the strong extractor must have seed length $\log |\mathcal{Y}| = t$ of that order. Moreover, the extractor has to be (efficiently) computable with limited memory. This is the case if $E$ is $\ell$-local, meaning that it only depends on a small number $\ell$ (instead of $n$) of physical bits of its first argument, where the $\ell$ bit locations are determined by the second argument. Note that a different
solution to the latter problem was suggested by Lu plj . 
who considers so-called on-line computable functions. 

Due to these requirements, finding explicit, efficiently computable constructions for the bounded-storage model is a rather intricate problem, which has been studied for some time [1], [10], [11], [12]. Here we consider a construction by Vadhan. By choosing the output to be a single bit, Theorem 8.5 in [12] gives an $\ell$-local strong $(k, \varepsilon)$-extractor $e : \{0,1\}^n \times \{0,1\}^t \to \{0,1\}$ with

$$t = \log n + O(\log 1/\varepsilon) \tag{33}$$
*=™ + 0(logl/ 6 ) (34) 

for every $\varepsilon > \exp(-n/2^{O(\log^* n)})$.

Suppose we want to achieve an error $\varepsilon$, using Theorem IV.1. Then the error for the one-bit extractor $e$ must be upper bounded by $(\varepsilon/4m)^2$. Inserting this into Eqs. (33) and (34) gives

Corollary V.2. For any $\varepsilon > 4m \exp(-n/2^{O(\log^* n)})$, there is an $\ell$-local function

$$E : \{0,1\}^n \times \{0,1\}^t \to \{0,1\}^m ,$$

$$t = m \log n + O(m \log m + m \log 1/\varepsilon)$$

l= \'i TT + 0(mlogm + mlog l/e) , 

2 A; — m — 2 log l/e 

such that $d(E(X, Y) \leftarrow YQ) \le \varepsilon$ for all $\rho_{XQ}$ with

$$H_\infty(X) - H_0(Q) \ge k ,$$

where $\rho_{YXQ} = \rho_{U_{\{0,1\}^t}} \otimes \rho_{XQ}$.

In terms of the min-entropy rate $\alpha$ and the storage rate $\beta$, our result implies that for any $\alpha > \beta$, there is an extractor which uses $O(m \log n + m \log 1/\varepsilon)$ bits of initial key, outputs $m$ bits with security $\varepsilon$, and reads $O(m \log m + m \log 1/\varepsilon)$ bits from the randomizer $X$. In comparison, the best known classical construction uses $O(\log n + \log 1/\varepsilon)$ bits of key and reads $O(m + \log 1/\varepsilon)$ from $X$.



C. Independent randomizers 

In the so-called satellite scenario Q, the randomizer 
$X$ is assumed to consist of a sequence of random bits that are publicly broadcast in sequence. In this situation, it is clear that if we partition $X$ into blocks $X = (X_1, \ldots, X_L)$, the random variables corresponding to the blocks are independent. What is more interesting is that if the adversary is allowed to prepare a quantum system $Q$ adaptively, the resulting cq-state $\rho_{XQ}$ is a $k$-blockwise state. This is a consequence of the fact that taking the previous blocks $X^i$ into account when storing and retrieving information about $X_{i+1}$ does not help the adversary if $X_{i+1}$ is independent of $X^i$. We can express this formally by the following result, with the set $S$ corresponding to all states on a Hilbert space of limited dimension in the bounded storage model.

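Lemma 3. Let $P_{XX'} = P_X \cdot P_{X'}$ be a probability distribution of independent random variables and let $S$ be a set of states. Then

$$\min_{\rho_{XX'Q}} H_g(X \leftarrow X'Q) \ge \min_{\rho_{XQ}} H_g(X \leftarrow Q) , \tag{35}$$

where the minima are over all states of the form

$$\rho_{XX'Q} = \sum_{x, x'} P_{XX'}(x, x') \, |x\rangle\langle x| \otimes |x'\rangle\langle x'| \otimes \rho_x^{x'}$$

with $\rho_x^{x'} \in S$ and

$$\rho_{XQ} = \sum_x P_X(x) \, |x\rangle\langle x| \otimes \rho_x , \qquad \rho_x \in S ,$$

respectively.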

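Proof. Let $\{\rho_x^{x'}\}_{x, x'}$ be a family of states such that the corresponding state $\rho_{XX'Q}$ achieves the minimum on the l.h.s. of Eq. (35). Then

$$2^{-H_g(X \leftarrow X'Q)} = \mathop{\mathbb{E}}_{x' \leftarrow P_{X'}} \Big[ 2^{-H_g(X \leftarrow Q | X' = x')} \Big] .$$

But

$$2^{-H_g(X \leftarrow Q | X' = x')} = \max_{\{E_x\}_x} \sum_{x \in \mathcal{X}} P_X(x) \, \mathrm{tr}(E_x \rho_x^{x'}) = 2^{-H_g(X \leftarrow Q)}$$

where the latter expression denotes the guessing entropy of $X$ given $Q$ in the state

$$\rho_{XQ} = \sum_{x \in \mathcal{X}} P_X(x) \, |x\rangle\langle x| \otimes \rho_x^{x'} .$$

The claim directly follows from this. □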

If the randomizer $X$ consists of several independent parts $X = (X_1, \ldots, X_L)$ which satisfy $H_\infty(X_i) \ge H_0(Q) + k$ for all $i$, we can therefore use our hybrid construction (Theorem IV.2) in conjunction with Corollary V.2. As an example, consider the case where each of the blocks $X_i$ consists of $n$ bits with min-entropy rate $\alpha$. We then obtain an extractor $E : \{0,1\}^{Ln} \times \{0,1\}^t \to \{0,1\}^{Lm}$ which uses $t = m \, O(\log n + \log L + \log 1/\varepsilon)$ bits of initial key, reads $m \, O(\log m + \log L + \log 1/\varepsilon)$ bits from $X$ and gives an $\varepsilon$-secure output in the presence of an adversary with storage rate $\beta < \alpha$. In particular, this construction can extend the key of the honest parties by more than the number of initial key bits. This implies that Alice and Bob end up with a longer key even if the adversary later learns the initial key $Y$.

VI. TOMOGRAPHY-BASED APPROACH TO GENERAL EXTRACTORS

The results of Section III imply that the security of a single extracted bit is similar with respect to an adversary that has quantum instead of classical resources. This is not true for general extractors which output several bits, as shown in [20] by an explicit counterexample. It is however possible to give constructions that extract multiple bits in a useful way, as we have shown in the previous section.

Which constructions give rise to "useful" extractors in 
a quantum context? In this section, we elaborate on 
this question, showing that general extractors can be 
used in the setting of privacy amplification, if the ad- 
versary's memory is limited. Note that the setting of 
privacy amplification imposes less stringent requirements 
on the extractor than the setting of the bounded-storage 
model. Nevertheless, the only construction known to 
work in the quantum setting has been two- universal hash- 

mg mm ee is. 

While two-universal hashing has the advantage that it extracts all the randomness present in the source (i.e., the number of extracted bits can be as large as $H_\infty(X) - 2\log 1/\varepsilon$), it requires a long seed $Y$. Viewed as an extractor, two-universal hashing has the form $E : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}^m$, i.e., the seed is of the same length as the source $X$. When applied to privacy amplification, this means that $n$ bits need to be communicated from Alice to Bob. We will show below that by considering general extractors the amount of communication can be reduced to approximately the number of qubits the adversary controls. This is important for applications
such as the protocols proposed in [ill ]. 

We use a measurement-based approach, which bounds the trace distance in terms of the outcomes of a tomographic measurement in mutually unbiased bases. More precisely, we will use the following lemma, whose proof is analogous to a proof in [24].

Lemma 4. Let $A$ be a hermitian operator on $Q$, where $d := \dim Q = p^n$ is a prime power. Then there is a POVM $\mathcal{F}$ such that

$$\|A\| \le (d + 1) \cdot \|\mathcal{F}(A)\| .$$

We can then show the following:

Lemma 5. Let $E : \mathcal{X} \times \mathcal{Y} \to \mathcal{Z}$ be a strong $(k, \varepsilon)$-extractor. Then

$$d(E(X, Y) \leftarrow YQ) \le 4 \cdot 2^{H_0(Q)} \cdot \varepsilon , \tag{36}$$

for all cq-states $\rho_{XQ}$ with

$$H_g(X \leftarrow Q) \ge k + \log 1/\varepsilon ,$$

and $2^{H_0(Q)} = p^m$ for some prime $p$.

Remark VI.1. We point out that the condition on the dimension of $Q$ can easily be dropped by using a different measurement than the one described in Lemma 4, at the cost of introducing an additional constant in the exponent on the r.h.s. of Eq. (36).



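Proof. By definition and Eq. (2),

$$d(E(X, y) \leftarrow Q) = \sum_{z} \Big\| P_{E(X,y)}(z) \, \rho_z^y - \frac{1}{|\mathcal{Z}|} \rho_Q \Big\| ,$$

where $\rho_z^y$ is the conditional state $\rho_z^y := \rho_{Q | E(X,y) = z}$ for all $(y, z) \in \mathcal{Y} \times \mathcal{Z}$. By Lemma 4 we get

$$d(E(X, y) \leftarrow Q) \le (2^{H_0(Q)} + 1) \sum_{z \in \mathcal{Z}} \Big\| P_{E(X,y)}(z) \, \mathcal{F}(\rho_z^y) - \frac{1}{|\mathcal{Z}|} \mathcal{F}(\rho_Q) \Big\| ,$$

and thus by taking the expectation over $y \leftarrow P_Y$ with Eq. © (see also Eq. (A1))

$$d(E(X, Y) \leftarrow YQ) \le 2^{H_0(Q) + 1} \, d(E(X, Y) \leftarrow Y \mathcal{F}(Q)) .$$

The claim then follows from Proposition 1. □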

This lemma shows that in principle, any strong $(k, \varepsilon)$-extractor with suitable parameters can be used for privacy amplification. We illustrate this using a construction by Srinivasan and Zuckerman [28] for simplicity, but we point out that using constructions from [29], it is possible to reduce the randomness required for privacy amplification even further. They give an efficiently computable strong $(k, \varepsilon)$-extractor $E : \{0,1\}^n \times \{0,1\}^t \to \{0,1\}^m$ for any $k, m, \varepsilon$ with $k \ge m + 2\log 1/\varepsilon + 2$, where $t = 2(k + m) + O(\log n)$. Applying this to a situation where the adversary is given at most $d \ge H_0(Q)$ qubits of storage, we obtain an efficiently computable function $E : \{0,1\}^n \times \{0,1\}^t \to \{0,1\}^m$ which uses only

$$t = 4(d + m + \log 1/\varepsilon + 3) + O(\log n)$$

bits of seed and satisfies $d(E(X, Y) \leftarrow YQ) \le \varepsilon$ whenever

$$H_\infty(X) \ge m + 4d + 3\log 1/\varepsilon + 8 .$$

For certain parameters, this construction is more efficient in terms of the seed length $t$ than the local extractor described in Corollary V.2.

VII. CONCLUSIONS 

While Holevo's celebrated theorem implies that n 
quantum bits can not be used to store more than n classi- 
cal bits reliably, this result is in general not applicable in 
cryptography, where even partial information can make a 
difference. Indeed, numerous examples are known where 
quantum bits are more powerful than the same number 
of classical bits (see e.g., 0, [H El [U). In this light, 
it is natural to study the potential advantage offered by 
quantum information with respect to specific tasks. 

We have taken a step in this direction by showing that certain schemes for the bounded storage model which are secure in the presence of classical adversaries are also secure in the presence of adversaries who are in control of quantum storage. Surprisingly, the corresponding security parameters are almost the same for the quantum and the classical case when only a single bit is extracted. It is straightforward to extend and reformulate this result in terms of communication complexity. It then states that there can not be a large separation between the one-way average-case quantum and classical communication complexities of a boolean function.

This is in sharp contrast to the case of extractors which output several bits. There are extractors that provide security in the classical bounded-storage model but can not safely be used against quantum adversaries [20]. Nevertheless, it is possible to give a family of constructions that yield secure bits; this is our main contribution.

While our extractors provide security against quantum adversaries, their parameters are far from optimal. Future work can focus on improving these constructions.

APPENDIX A: PROPERTIES OF THE NONUNIFORMITY

We summarize a few properties of the non-uniformity in this section.

The non-uniformity $d(Z \leftarrow W)$ of $Z$ given $W$ can be viewed as the average distance of the conditional distribution $P_{Z|W=w}$ to the uniform distribution, for a random choice of $w \leftarrow P_W$, that is

$$d(Z \leftarrow W) = \mathop{\mathbb{E}}_{w \leftarrow P_W} \big[ d(Z | W = w) \big] . \tag{A1}$$

More generally, for a ccq-state $\rho_{ZWQ}$, where $W$ and $Q$ are not necessarily independent, the non-uniformity of $Z$ given $WQ$ can be written as an average of the corresponding non-uniformities with respect to the conditional states $\rho_{ZQ|W=w}$. This is a direct consequence of Eq. (2). In formula, we have

$$d(Z \leftarrow WQ) = \mathop{\mathbb{E}}_{w \leftarrow P_W} \big[ d(Z \leftarrow Q | W = w) \big] . \tag{A2}$$

In particular, we can write

$$d(E(X, Y) \leftarrow YQ) = \mathop{\mathbb{E}}_{y \leftarrow P_Y} \big[ d(E(X, y) \leftarrow Q | Y = y) \big] , \tag{A3}$$

where the term in brackets is equal to $d(E(X, y) \leftarrow Q)$ when $Y$ and $Q$ are independent (which is usually the case in this paper).

Finally, we point out that conditioning on independent random variables leaves the non-uniformity invariant, that is

$$d(Z \leftarrow VQ) = d(Z \leftarrow Q) , \tag{A4}$$

if $\rho_{ZQV} = \rho_{ZQ} \otimes \rho_V$. This follows from Eq. (A2).



APPENDIX B: PROOFS OF SECTION II

Proof of Proposition 1. Consider a random variable $\hat{X}$ defined by a channel $P_{\hat{X}|E}$ which takes a value $\hat{x}$ for which $P_{X|E=e}(\hat{x}) = 2^{-H_\infty(X|E=e)}$ with certainty, for every $e \in \mathcal{E}$. Clearly, we have

$$2^{-H_g(X \leftarrow E)} = \Pr[X = \hat{X}] = \mathop{\mathbb{E}}_{e \leftarrow P_E} \big[ 2^{-H_\infty(X|E=e)} \big] .$$

By Markov's inequality and Eq. (U|), this implies that

$$\Pr_{e \leftarrow P_E} \big[ H_\infty(X|E=e) \le H_g(X \leftarrow E) - \log 1/\varepsilon \big] \le \varepsilon .$$

The result then follows by convexity, using the fact that $d(E(X, Y) \leftarrow YE) = \mathop{\mathbb{E}}_{e \leftarrow P_E} [ d(E(X, Y) \leftarrow Y | E = e) ]$ because of Eq. (A1). □

Lemma 1 can be seen as a special case of Lemma 2. Their proofs are analogous, but we include both here, as the classical proof is instructive for the quantum generalization.

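Proof of Lemma 1. Let $a_{v,w} := 2^{-H_g(X \leftarrow E | V=v, W=w)}$ for all $(v, w) \in \mathcal{V} \times \mathcal{W}$. By definition,

$$a_{v,w} = \sum_{e \in \mathcal{E}} P_{E|V=v,W=w}(e) \max_{x \in \mathcal{X}} P_{X|E=e,V=v,W=w}(x) .$$

In particular,

$$P_{VW}(v, w) \, a_{v,w} = \sum_{e \in \mathcal{E}} P_{EVW}(e, v, w) \max_{x \in \mathcal{X}} P_{X|E=e,V=v,W=w}(x) = \sum_{e \in \mathcal{E}} \max_{x \in \mathcal{X}} P_{XEVW}(x, e, v, w) .$$

But by summing over $w \in \mathcal{W}$

$$P_{XEVW}(x, e, v, w) \le P_{XEV}(x, e, v)$$

and thus

$$P_{VW}(v, w) \, a_{v,w} \le P_V(v) \sum_{e \in \mathcal{E}} P_{E|V=v}(e) \max_{x \in \mathcal{X}} P_{X|V=v,E=e}(x) = P_V(v) \sum_{e \in \mathcal{E}} P_E(e) \max_{x \in \mathcal{X}} P_{X|E=e}(x) = P_V(v) \, 2^{-H_g(X \leftarrow E)}$$

where we used the independence of $XE$ and $V$ in the second step and the definition of $H_g(X \leftarrow E)$ to obtain the last identity. We conclude that

$$\mathop{\mathbb{E}}_{(v,w) \leftarrow P_{VW}} [a_{v,w}] \le 2^{H_0(W) - H_g(X \leftarrow E)} .$$

It is easy to see that

$$\mathop{\mathbb{E}}_{(v,w) \leftarrow P_{VW}} [a_{v,w}] = 2^{-H_g(X \leftarrow VWE)} ,$$

which proves our first claim. We then use Markov's inequality to obtain

$$\Pr_{(v,w) \leftarrow P_{VW}} \Big[ a_{v,w} \ge \frac{2^{H_0(W) - H_g(X \leftarrow E)}}{\varepsilon} \Big] \le \varepsilon ,$$

which is our second claim. □

Proof of Lemma 2. By assumption, $\rho_{XVWQ}$ has the form

$$\rho_{XVWQ} = \sum_{x,v,w} P_{XVW}(x, v, w) \, |xvw\rangle\langle xvw| \otimes \rho_x .$$

For every $(v, w) \in \mathcal{V} \times \mathcal{W}$, let $\mathcal{E}^{v,w} := \{E_x^{v,w}\}_{x \in \mathcal{X}}$ be the POVM which maximizes the expression in the definition of $H_g(X \leftarrow Q | V = v, W = w)$. We define the operators $\{F_x^v\}_{x \in \mathcal{X}}$ by

$$F_x^v := 2^{-H_0(W)} \sum_{w \in \mathcal{W}} E_x^{v,w} .$$

It is easy to see that $\mathcal{F}^v := \{F_x^v\}_{x \in \mathcal{X}}$ forms a POVM for every $v \in \mathcal{V}$, and the operator inequality $E_x^{v,w} \le 2^{H_0(W)} F_x^v$ holds. In particular,

$$\mathrm{tr}(E_x^{v,w} \rho_x) \le 2^{H_0(W)} \, \mathrm{tr}(F_x^v \rho_x) \tag{B1}$$

for all $(x, v, w) \in \mathcal{X} \times \mathcal{V} \times \mathcal{W}$. Let us introduce the abbreviation

$$a_{v,w} := 2^{-H_g(X \leftarrow Q | V=v, W=w)} \tag{B2}$$

for every $(v, w) \in \mathcal{V} \times \mathcal{W}$. By definition and Eq. (B1),

$$a_{v,w} = \sum_{x \in \mathcal{X}} P_{X|V=v,W=w}(x) \, \mathrm{tr}(E_x^{v,w} \rho_x) \le 2^{H_0(W)} \sum_{x \in \mathcal{X}} P_{X|V=v,W=w}(x) \, \mathrm{tr}(F_x^v \rho_x) .$$

We thus have

$$\mathop{\mathbb{E}}_{(v,w) \leftarrow P_{VW}} [a_{v,w}] \le 2^{H_0(W)} \sum_{(x,v) \in \mathcal{X} \times \mathcal{V}} P_{XV}(x, v) \, \mathrm{tr}(F_x^v \rho_x) = 2^{H_0(W)} \mathop{\mathbb{E}}_{v \leftarrow P_V} \Big[ \sum_{x \in \mathcal{X}} P_{X|V=v}(x) \, \mathrm{tr}(F_x^v \rho_x) \Big] . \tag{B3}$$

But for every $v \in \mathcal{V}$,

$$\sum_{x \in \mathcal{X}} P_{X|V=v}(x) \, \mathrm{tr}(F_x^v \rho_x) = \sum_{x \in \mathcal{X}} P_X(x) \, \mathrm{tr}(F_x^v \rho_x) \le 2^{-H_g(X \leftarrow Q)} \tag{B4}$$

by the assumption that $\rho_{XV} = \rho_X \otimes \rho_V$, and the definition of the latter quantity. Combining Eqs. (B4) with (B3) and (B2) gives

$$2^{-H_g(X \leftarrow VWQ)} = \mathop{\mathbb{E}}_{(v,w) \leftarrow P_{VW}} [a_{v,w}] \le 2^{H_0(W) - H_g(X \leftarrow Q)} ,$$

and the first claim follows. The second claim follows from Markov's inequality, as in the proof of Lemma 1. □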

APPENDIX C: PROOF OF REFINEMENT LEMMA

In the proof of Theorem III.1 we have used the fact that applying classical post-processing after a measurement $\mathcal{F}$ does not increase the non-uniformity. We state this as a lemma; the proof is trivial and follows from the triangle inequality.

Lemma 6. Let $P_{E|X}$ be a channel, and let $\mathcal{F} := \{F_x\}_{x \in \mathcal{X}}$ be a POVM on $Q$. Define the operators

$$E_e := \sum_{x \in \mathcal{X}} P_{E|X=x}(e) \, F_x$$

for every $e \in \mathcal{E}$. Then $\mathcal{E} := \{E_e\}_{e \in \mathcal{E}}$ is a POVM, and for any cq-state $\rho_{ZQ}$,

$$d(Z \leftarrow \mathcal{E}(Q)) \le d(Z \leftarrow \mathcal{F}(Q)) .$$

Proof. It is trivial to check that $\mathcal{E}$ is indeed a POVM. By definition,

$$d(Z \leftarrow \mathcal{E}(Q)) = \| P_{Z\mathcal{E}(Q)} - P_{U_{\mathcal{Z}}} \otimes P_{\mathcal{E}(Q)} \| = \frac{1}{2} \sum_{(z,e) \in \mathcal{Z} \times \mathcal{E}} a_{z,e} \tag{C1}$$

where

$$a_{z,e} := \Big| \mathrm{tr}\big( (|z\rangle\langle z| \otimes E_e) \rho_{ZQ} \big) - \frac{1}{|\mathcal{Z}|} \mathrm{tr}(E_e \rho_Q) \Big| .$$

By the definition of $E_e$ and the triangle inequality,

$$a_{z,e} \le \sum_{x \in \mathcal{X}} P_{E|X=x}(e) \, \Big| \mathrm{tr}\big( (|z\rangle\langle z| \otimes F_x) \rho_{ZQ} \big) - \frac{1}{|\mathcal{Z}|} \mathrm{tr}(F_x \rho_Q) \Big| .$$

Combining this with Eq. (C1) gives the claim. □